There Is No Preview Available For This Item
This item does not appear to have any files that can be experienced on Archive.org.
Please download files in this item to interact with them on your computer.
Show all files
In an empirical study of 3241 Red Hat packages, we show that software vulnerabilities correlate with dependencies between packages. With formal concept analysis and statistical hypothesis testing, we identify dependencies that decrease the risk of vulnerabilities ('beauties') or increase the risk ('beasts'). Using support vector machines on dependency data, our prediction models successfully and consistently catch about two thirds of vulnerable packages (median recall of 0.65). When our models predict a package as vulnerable, it is correct more than eight times out of ten (median precision of 0.83). Out of 25 packages predicted to contain unknown vulnerabilities in January 2008, 9 needed fixing within six months, and another one was found to be vulnerable recently. Our findings help developers to choose new dependencies wisely and make them aware of risky dependencies.
Joint work with Thomas Zimmermann (Microsoft Research)